Installing FreeIPA on CentOS 7 - "kinit: Cannot contact any KDC for realm" [closed]

asked 2015-03-13 19:17:46 +0000

chrischarles2002

I am trying to install a new standalone instance of FreeIPA on CentOS 7.

I am doing this in an Amazon AWS EC2 environment.

The install completes flawlessly every time; however, when I attempt to run for the first time:

kinit admin

I always get back:

kinit: Cannot contact any KDC for realm 'DOMAIN.COM' while getting initial credentials

Googling, I found a way to trace this command:

KRB5_TRACE=/dev/stdout kinit admin

In which case I get the following output:

[root@ipa1 ~]# KRB5_TRACE=/dev/stdout kinit admin
[3320] 1426267179.15039: Getting initial credentials for admin@DOMAIN.COM
[3320] 1426267179.17085: Sending request (164 bytes) to DOMAIN.COM
[3320] 1426267179.17225: Resolving hostname ipa1.domain.com
[3320] 1426267179.17715: Sending initial UDP request to dgram 10.209.10.19:88
[3320] 1426267179.17786: UDP error receiving from dgram 10.209.10.19:88: 111/Connection refused
[3320] 1426267179.18382: Initiating TCP connection to stream 10.209.10.19:88
[3320] 1426267179.18431: Terminating TCP connection to stream 10.209.10.19:88
kinit: Cannot contact any KDC for realm 'DOMAIN.COM' while getting initial credentials

Continuing to Google for "UDP error receiving from dgram" & "Connection refused", I see that this is a common recent issue with the FreeIPA install, but have yet to find a posted solution.

Here are the packages that I have installed:

[root@ipa1 ~]# rpm -qa | grep ipa
ipa-python-3.3.3-28.0.1.el7.centos.3.x86_64
python-iniparse-0.4-9.el7.noarch
sssd-ipa-1.11.2-68.el7_0.6.x86_64
ipa-client-3.3.3-28.0.1.el7.centos.3.x86_64
ipa-server-3.3.3-28.0.1.el7.centos.3.x86_64
libipa_hbac-1.11.2-68.el7_0.6.x86_64
ipa-admintools-3.3.3-28.0.1.el7.centos.3.x86_64
libipa_hbac-python-1.11.2-68.el7_0.6.x86_64

Does anyone know how to get around this issue to complete the install on CentOS 7 in Amazon AWS EC2?

Thanks in advance.


Closed for the following reason: question is off-topic or not relevant (by randomuser)
close date 2015-03-14 05:55:49.666884

Comments

That command is attempting to communicate with a Key Distribution Center for the Kerberos realm "DOMAIN.COM." It appears the KDC is identified as ipa1.domain.com and the DNS service for the system succeeds in resolving that domain name to 10.209.10.19. It then attempts to establish UDP communications with the ipa1.domain.com system, but fails. Is that what you expect to be happening when you run this command? If so, I guess you need to ensure the KDC service is up and running, ready for connections, and that the system targeted for installation can successfully communicate with ipa1.

bitwiseoperator ( 2015-03-14 04:41:41 +0000 )
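The reading of the trace given in the comment above can be automated. This is an added example, not part of the original thread: it parses the KRB5_TRACE lines quoted in the question and reports, per KDC endpoint, how each attempt ended. The function names and verdict strings are assumptions made for this illustration.

```python
import re

# Constructed sample: trace lines copied from the question above.
SAMPLE_TRACE = """\
[3320] 1426267179.17225: Resolving hostname ipa1.domain.com
[3320] 1426267179.17715: Sending initial UDP request to dgram 10.209.10.19:88
[3320] 1426267179.17786: UDP error receiving from dgram 10.209.10.19:88: 111/Connection refused
[3320] 1426267179.18382: Initiating TCP connection to stream 10.209.10.19:88
[3320] 1426267179.18431: Terminating TCP connection to stream 10.209.10.19:88
kinit: Cannot contact any KDC for realm 'DOMAIN.COM' while getting initial credentials
"""

TRACE_LINE = re.compile(r"^\[\d+\] \d+\.\d+: (.*)$")    # "[pid] timestamp: message"
ENDPOINT = re.compile(r"\b(dgram|stream) (\S+):(\d+)")  # "dgram 10.209.10.19:88"
ERRNO = re.compile(r"^: \d+/(.+)$")                     # ": 111/Connection refused"

def parse_trace(text):
    """Group events by endpoint: {(proto, host, port): [(verb, error or None), ...]}."""
    endpoints = {}
    for raw in text.splitlines():
        line = TRACE_LINE.match(raw.strip())
        msg = line.group(1) if line else ""
        ep = ENDPOINT.search(msg)
        if not ep:
            continue  # not a trace line, or it names no network endpoint
        proto = "udp" if ep.group(1) == "dgram" else "tcp"
        err = ERRNO.search(msg[ep.end():])
        event = (msg[:ep.start()].strip(), err.group(1) if err else None)
        endpoints.setdefault((proto, ep.group(2), int(ep.group(3))), []).append(event)
    return endpoints

def diagnose(text):
    """Return [(endpoint, verdict)] for every KDC address the client tried."""
    findings = []
    for (proto, host, port), events in parse_trace(text).items():
        errors = [error for _, error in events if error]
        verdict = "no error recorded"
        if any("refused" in error.lower() for error in errors):
            # A refusal is an active rejection: the host was reached, the port was not open.
            verdict = "refused"
        elif errors:
            verdict = "error: " + errors[0]
        elif [verb.split(" ")[0] for verb, _ in events] == ["Initiating", "Terminating"]:
            verdict = "closed with no exchange"  # TCP opened, then dropped at once
        findings.append((f"{host}:{port}/{proto}", verdict))
    return findings

if __name__ == "__main__":
    print(*diagnose(SAMPLE_TRACE), sep="\n")
```

A "refused" verdict means the address was reached and the port was not accepting traffic, which points at the KDC service or a rejecting firewall on that host rather than at name resolution.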

On Fedora, you can use rolekit to deploy FreeIPA and it just works; it can be a complex stack to set up without that. On CentOS, you should use the CentOS forum or mailing list. CentOS and Fedora are different, and advice for one often doesn't apply to the other, especially for something this complicated.

randomuser ( 2015-03-14 05:55:36 +0000 )

This right here helped me more than most other things when I got to this point: KRB5_TRACE=/dev/stdout kinit admin Thanks for that!

harper519 ( 2015-09-13 20:02:39 +0000 )

This helped me a ton! Thanks!

Andrew Rothstein ( 2016-09-06 03:02:48 +0000 )